[ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917515#action_12917515 ]

angela commented on JCR-2748:
-----------------------------

i would rather add a configuration option to this specific access control 
provider (similar to the other providers). 
the patch adding the config option to the security manager seems wrong to me. 

the current default ac-provider setup in case of missing configuration just 
reflects the state of jackrabbit 1.6 where users were stored in a separate, 
dedicated workspace, and i didn't change it for backwards compatibility 
reasons. in the meantime i changed the user management in a way that users 
having access to a given workspace can be stored in that workspace, which 
makes things a lot easier [see JCR-2313].

> provide a (relatively) simple way to disable anonymous access to the security 
> workspace
> ---------------------------------------------------------------------------------------
>
>                 Key: JCR-2748
>                 URL: https://issues.apache.org/jira/browse/JCR-2748
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core, security
>            Reporter: Justin Edelson
>         Attachments: JCR-2748.patch
>
>
> As discussed in this thread: 
> http://sling.markmail.org/thread/st52jejjuxykfxtj, the security workspace is, 
> by default, configured with an AccessControlProvider which provides a fixed 
> access control policy (i.e. 
> o.a.j.core.security.user.UserAccessControlProvider). Preventing 
> anonymous access to security-related nodes requires the use of an alternate 
> AccessControlProvider.
> The attached patch provides a simpler mechanism. By adding
> <param name="anonymousAccessToSecurityWorkspace" value="false" />
> to the configuration of the DefaultSecurityManager, anonymous access to the 
> security workspace is forbidden.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
